@milkdown/plugin-emoji is vulnerable to Cross-Site Scripting (XSS)
54
Medium Risk
The emoji node stores raw pasted innerHTML unsanitized at the parseDOM entry point and later assigns it to innerHTML on a live element during toMarkdown serialization, so an <img onerror=...>-style payload executes on the next serialization cycle even though the element is never attached to the document. Untrusted emoji markup thereby reaches a live DOM sink without sanitization. The fix sanitizes the value with DOMPurify at the untrusted parseDOM entry so it never enters document state, and parses via an inert <template> (with a sanitize call for defense in depth) during serialization.
You are affected if you are using a version that falls within the vulnerable range and accept untrusted pasted HTML or externally supplied emoji markup that is stored and later serialized.
@milkdown/plugin-emoji is vulnerable to Cross-Site Scripting (XSS) in versions 7.0.0 - 7.21.2.
Upgrade the @milkdown/plugin-emoji library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant